Major Cybercrime Arrest: A Breakdown of the XSS.is Operation
Europol’s Significant Announcement
On July 22, 2025, Europol revealed the capture of a key player behind the notorious cybercrime platform, XSS.is (previously known as DaMaGeLaB). The arrest took place in Kyiv, Ukraine, and was a collaborative effort involving the French Police, the Paris Prosecutor’s office, and local Ukrainian law enforcement. This operation marked the culmination of a detailed investigation initiated by French authorities back in July 2021.
Seizing the Cybercrime Hub
Alongside the arrest, law enforcement agencies successfully seized the clearnet domain of XSS.is. When users attempt to access the site, they are now met with a notice stating, “This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance from the SBU Cyber Department.” This move not only disrupts the operations of the platform but also sends a powerful message about the efforts being made to combat cybercrime.
The Functionality and Reach of XSS.is
The forum had amassed over 50,000 registered users and had established itself as an essential marketplace for illicit goods, including stolen data, hacking tools, and various services. Law enforcement agencies have described XSS.is as a focal point for some of the most active and dangerous cybercriminal networks. These networks often coordinated, advertised, and even recruited new members through this platform.
The arrested individual didn’t just oversee the day-to-day operations; he also played a vital role as a trusted intermediary. By arbitrating disputes among users and ensuring the security of transactions, he facilitated ongoing criminal activities, effectively building a reliable ecosystem for illicit behavior.
Profit from Crime: A Financial Overview
The individual behind XSS.is is also believed to have operated thesecure.biz, a private messaging service designed for cybercriminals. Through these illicit activities, he reportedly generated profits of around €7 million ($8.24 million) primarily from advertising and facilitation fees. Investigators estimate that this person has been involved in the cybercrime field for close to twenty years, maintaining connections with key figures in the industry during that time.
A Look at the Operations of XSS.is
Active since 2013, XSS.is functioned as a comprehensive hub for cybercrime, offering services that ranged from access to compromised systems to ransomware-related offerings. It even featured an encrypted Jabber messaging server, enabling anonymous communication among criminals.
XSS.is and another significant platform, Exploit, have together supported the Russian-speaking cybercriminal infrastructure, with a particular focus on attacking non-Russian-speaking countries. Recent data indicate that XSS has around 48,750 registered users and over 110,000 threads, showcasing its expansive reach.
To facilitate transactions effectively, XSS.is utilized an advanced reputation system. Members could rely on an escrow service appointed by the forum to ensure secure dealings and build up their reputations by making deposits.
Recent Developments in Cybercrime Disruption
The arrest of the XSS.is administrator comes shortly after a Europol-led operation targeting the infrastructure of a pro-Russian hacktivist group named NoName057(16). This group had been involved in conducting DDoS attacks against Ukraine and its allies using a volunteer-driven tool known as DDoSia.
A report from Recorded Future’s Insikt Group revealed that between July 1, 2024, and July 14, 2025, NoName057(16) targeted 3,776 unique hosts. Their targets included government agencies, public-sector entities, and various organizations across Europe, highlighting the group’s intent to disrupt those opposing Russia’s actions in Ukraine.
Target Breakdown and Operational Analysis
Ukraine bore the brunt of these attacks, accounting for the largest share at 29.47% of the total targets. Other countries significantly affected included France, Italy, and Sweden. Interestingly, the United States was notably absent from the list of targets, suggesting strategic targeting based on geopolitical tensions.
Analysis of NoName057(16)’s infrastructure has uncovered a sophisticated design featuring rapidly rotating command-and-control (C2) servers, ensuring resilience against law enforcement actions. With around 275 unique Tier 1 servers identified, the group has demonstrated a remarkable ability to maintain operational continuity.
Recorded Future describes NoName057(16) as maintaining a high operational pace, engaging with about 50 unique targets daily. Their attack strategies leverage both network and application-layer DDoS methods, prioritizing high-volume floods aimed at overwhelming server resources to cause disruptions.
Conclusion
The arrest of the XSS.is administrator exemplifies the ongoing international efforts to dismantle cybercrime networks. By targeting crucial figures and disrupting platforms that facilitate illegal activities, law enforcement continues to stake a claim in the fight against cyber threats. With ongoing operations against groups like NoName057(16), the landscape of cybersecurity remains a frontline in global conflicts.


